Well, here we are nearly at the beginning of November and the Red Flags Rule has been with us for nearly two years and the FTC’s November 1, 2009 enforcement date is upon us as well (I know I’ve said that before). There is little value in me chatting about the core requirements of the Red Flags Rule at this point. Instead, I’d like to shed some light on what we are seeing and hearing these days from our clients and industry experts related to this initiative:
Red Flags Rule responses clients
1. Most clients have a solid written and operational Identity Theft Prevention Program in place that arguably meets their interpretation of the Red Flags Rule requirements.
2. Most clients have a solid written and operational Identity Theft Prevention Program in place that creates a boat-load of referrals due to the address mismatches generated in their process(es) and the requirement to do something with them.
3. Most clients are now focusing on ways in which to reduce the number of referrals generated and procedures to clear the remaining referrals via a cost-effective and automated manner…of course, while preventing fraud and staying compliant to Red Flags Rule.
In 2008, a key focus at Experian was to help educate the market around the Red Flags Rule concepts and requirements.
The concentration in 2009 has nearly fully shifted to assisting the market in creating risk-based authentication programs that leverage holistic views of a consumer, flexible tools that are pointed to a consumer based on that person’s authentication and risk profile. There is also an overall decisioning strategy that balances risk, compliance, and resource constraints.
Spirit of Red Flags Rule
The spirit of the Red Flags Rule is intended to ensure all covered institutions are employing basic identity theft prevention procedures (a pretty good idea). I believe most of these institutions (even those that had very robust programs in place years before the rule was introduced) can appreciate this requirement that brings all institutions up to speed. It is now, however, a matter of managing process within the realities of, and costs associated with, manpower, IT resources, and customer experience sensitivities.